Secure website - Database Login

Posted on 2007-08-08
Last Modified: 2013-11-25
I have an ASP.NET application with a MaxDB (SAP) database.  Currently I am storing all connection string info in the web.config file.

What I would like to know is what is the best way to secure the application?

Also is there a way to send the username and password the user inputs on the login screen as variables to the connection string?
Question by:triplebd69

Expert Comment by: DropZone (ID: 19656012)
If you are trying to secure your application, the last thing you want to do is accept account information from external users.  The most common way is to create a single user login for the web application to use, and have this stored in the Web.Config file (encrypted, if possible).  That way, you can properly manage access to the database and its resources.  This login should be exclusive for the web application, and no user should have access to it.

If you are interested in web application security, you may also want to check out the OWASP Top 10 list of common web application vulnerabilities:
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

    -dZ.

Expert Comment by: Abu Hamdan (ID: 19660432)
Hello,

Securing the ASP.Net application can be done by using many methods like Forms authentication, LDAP, etc. And also you can pass the user name and password to the connection string in web.config, since when you are getting the connection string from web.config you can control it; for me, I always have to decrypt the password that is placed in the connection string to access the db.


Expert Comment by: DropZone (ID: 19660974)
>> "And also you can pass user name and password to connectionstring on web config ,, since when you are getting the connection  string from web.config you can control it"

As I said, although possible, this is not wise as you want to control access to the database.  You also want to separate login access to the database with login access to the site, or else risk increasing your attack surface by enabling a malicious user that gained access to your web site to access directly your database too.

Perhaps it would be useful if you explained a bit more what you mean by "secure the application".  Is it a password-protected site that you want to harden with proper security practices; or do you want to know how to add password-protection to your site?  If the former, check out the OWASP Top Ten link I sent.  If the latter, then hammdan is right:  you could use FormsAuthentication, etc.

    -dZ.

Author Comment by: triplebd69 (ID: 19662803)
I just want to make sure the site is not going to be accessed by unauthorized users and that they can't get to the database.  Currently the app doesn't have any password protection and the only passwords used are to gain access to the db for queries.

Accepted Solution by: DropZone (earned 2000 total points; ID: 19662949)
Then may I suggest the following approach, based on best practices:

- Create a single database user login specifically for the web application to access the database.  This login will not be used by anybody else except by the application, so that any database requests from this login are known to be from it.

- Set the login information as part of your connection string in the Web.Config file (preferably encrypted).  This is because IIS and the ASP.Net framework have mechanisms in place to specifically protect this file from outside attack.

- Create a table in your database for login information for the users of the web application.  This should contain at minimum a unique username and a password -- again it is very much recommended that it be encrypted or hashed.  Hashed is the preferred method because it prevents the plain-text password from being discovered from the one-way hash string.

- Set the web application to use FormsAuthentication (in the authorization section of the Web.Config).  When a user is going to "log-in" to your site, you perform a query to the database to see if the account information provided is valid, and if so, you create the AuthTicket (either manually, or by using one of the FormsAuthentication methods for doing this).  This only needs to be done once per session, and once the user is authenticated, the session can work normally.

- Alternatively, if this is an internal application (not published on the WWW), you may want to use integrated authentication, LDAP, or any of the other trusted mechanisms available from the .NET Framework.  The important thing is to allow the framework to handle the authentication and authorization for you, as it has been designed with proper security mechanisms.

Let me know if this helps.

    -dZ.

Author Comment by: triplebd69 (ID: 19663731)
DropZone,

Thanks for your feedback, you have given me a lot to consider.

Expert Comment by: DropZone (ID: 19663918)
No problem.  I know it can seem overwhelming, but once you understand the principles behind it, it's much easier to implement proper security.

This site may help you along: http://www.dotnetjunkies.com/quickstart/aspplus/doc/quickstart.aspx
In particular, check out the "Security" section.  It also has a lot of good information on many aspects of ASP.NET.

   Cheers!
     -dZ.